vRA AD to vIDM

Integrating with Active Directory  

 
During configuration, you establish a connection between VMware Identity Manager and your Active  
Directory deployment.  
You can update your Active Directory configuration information in the administration console, by clicking  
the Identity & Access Management tab.  
This chapter includes the following topics:  
“Important Concepts Related to Active Directory”
“Active Directory Environments”
“Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup”
“Managing User Attributes that Sync from Active Directory”
“Configure Active Directory Connection to the Service”
Important Concepts Related to Active Directory  
Several concepts related to Active Directory are integral to understanding how the  
VMware Identity Manager service integrates with your Active Directory environment.

Connector  

The connector, a component of the service, performs the following functions:
- Syncs user and group data between Active Directory and the service.
- When used as an identity provider, authenticates users to the service.
The connector is the default identity provider. You can also use third-party identity providers that  
support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the  
connector does not support or for an authentication type the connector does support, if the third-party  
identity provider is preferable based on your enterprise security policy.  
NOTE Even if you use third-party identity providers, you must configure the connector to sync user  
and group data.  
 
 

Installing and Configuring VMware Identity Manager  

Directory  
The VMware Identity Manager service has its own concept of the directory that syncs to Active Directory.  
This directory uses Active Directory attributes and parameters to define users and groups. You create one or  
more directories and then sync those directories with your Active Directory deployment. You can create the  
following directory types in the service.  
 
- Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication.
- Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.
The type and number of directories that you create varies depending on your Active Directory environment,  
such as single domain or multi-domain, and on the type of trust used between domains. In most  
environments, you create one directory.  
The service does not have direct access to Active Directory. Only the connector has direct access to Active  
Directory. Therefore, you associate each directory created in the service with a connector instance.  

Worker

When you associate a directory with a connector instance, the connector creates a partition for the associated  
directory called a worker. A connector instance can have multiple workers associated with it. Each worker  
acts as an identity provider. You define and configure authentication methods per worker.  
The connector syncs user and group data between Active Directory and the service through one or more  
workers.  
You cannot have two workers of the Integrated Windows Authentication type on the same connector  
instance.  

Active Directory Environments  

You can integrate the service with an Active Directory environment that consists of a single Active Directory  
domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active  
Directory forests.  

Single Active Directory Domain Environment  

A single Active Directory deployment allows you to sync users and groups from a single Active Directory  
domain.  
For this environment, when you add a directory to the service, select the Active Directory over LDAP  
option.  
For more information, see:
- “Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup.” In some scenarios, you may need to create this file.
- “Configure Active Directory Connection to the Service”

Multi-Domain, Single Forest Active Directory Environment  

A multi-domain, single forest Active Directory deployment allows you to sync users and groups from  
multiple Active Directory domains within a single forest.  
You can configure the service for this Active Directory environment as a single Active Directory, Integrated  
Windows Authentication directory type or, alternatively, as an Active Directory over LDAP directory type  
configured with the global catalog option.  
The recommended option is to create a single Active Directory, Integrated Windows Authentication  
directory type.  
When you add a directory for this environment, select the Active Directory (Integrated Windows  
Authentication) option.  
For more information, see:
- “Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup.” In some scenarios, you may need to create this file.
- “Managing User Attributes that Sync from Active Directory”
- “Configure Active Directory Connection to the Service”
 
If Integrated Windows Authentication does not work in your Active Directory environment, create an  
Active Directory over LDAP directory type and select the global catalog option.  
Some of the limitations with selecting the global catalog option include:
- The Active Directory object attributes that are replicated to the global catalog are identified in the Active Directory schema as the partial attribute set (PAS). Only these attributes are available for attribute mapping by the service. If necessary, edit the schema to add or remove attributes that are stored in the global catalog.
- The global catalog stores the group membership (the member attribute) of only universal groups. Only universal groups are synced to the service. If necessary, change the scope of a group from domain local or global to universal.
- The bind DN account that you define when configuring a directory in the service must have permissions to read the Token-Groups-Global-And-Universal (TGGAU) attribute.
- Active Directory uses ports 389 and 636 for standard LDAP queries. For global catalog queries, ports 3268 and 3269 are used.
 
When you add a directory for the global catalog environment, specify the following during the configuration.
- Select the Active Directory over LDAP option.
- Deselect the check box for the option This Directory supports DNS Service Location.
- Select the option This Directory has a Global Catalog. When you select this option, the server port number is automatically changed to 3268. Also, because the Base DN is not needed when configuring the global catalog option, the Base DN text box does not display.
- Add the Active Directory server host name.
- If your Active Directory requires access over SSL, select the option This Directory requires all connections to use SSL and paste the certificate in the text box provided. When you select this option, the server port number is automatically changed to 3269.
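The two constraints of the global catalog option above (the connector must talk to port 3268, or 3269 over SSL, and only universal groups carry their member attribute in the global catalog) can be checked before the directory is created. The following is an added example, not VMware's code: it picks the port for a given directory configuration and reports which groups would need their scope changed to universal before they sync. The groupType bit values are Active Directory's documented flags; the sample group records are constructed for the example.

```python
"""Added example (not VMware's code): pick the LDAP or global-catalog port a
directory connection needs, and check which Active Directory groups would
actually sync through a global catalog. The groupType flag bits are the
documented Active Directory values; the sample groups are constructed."""

# Documented Active Directory groupType flag bits.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # AD stores this as a negative value


def directory_port(global_catalog: bool, use_ssl: bool) -> int:
    """Port the connector must use: 389/636 for a domain LDAP query,
    3268/3269 when the directory is configured with the global catalog option."""
    if global_catalog:
        return 3269 if use_ssl else 3268
    return 636 if use_ssl else 389


def group_scope(group_type: int) -> str:
    """Name the scope encoded in an AD groupType value. Values read from AD
    are sign-extended, so normalise to 32 bits before testing the flags."""
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if bits & GROUP_TYPE_GLOBAL:
        return "global"
    if bits & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    return "unknown"


def gc_sync_report(groups):
    """Split groups into those whose membership the global catalog exposes
    (universal) and those that must be converted to universal scope first.
    `groups` is an iterable of dicts with 'cn' and 'groupType' keys."""
    will_sync, needs_scope_change = [], []
    for g in groups:
        scope = group_scope(int(g["groupType"]))
        target = will_sync if scope == "universal" else needs_scope_change
        target.append((g["cn"], scope))
    return {"will_sync": will_sync, "needs_scope_change": needs_scope_change}


# Constructed sample groups (not real directory data).
SAMPLE_GROUPS = [
    {"cn": "All-Staff", "groupType": -2147483640},       # security, universal
    {"cn": "HR-Global", "groupType": -2147483646},       # security, global
    {"cn": "Printers-Local", "groupType": -2147483644},  # security, domain local
    {"cn": "Newsletter", "groupType": 8},                # distribution, universal
]

if __name__ == "__main__":
    print("GC port without SSL:", directory_port(True, False))
    print("GC port with SSL:", directory_port(True, True))
    report = gc_sync_report(SAMPLE_GROUPS)
    for cn, scope in report["needs_scope_change"]:
        print(f"{cn}: {scope} group, change scope to universal before syncing")
```

Run the report against a groupType export of the groups you intend to sync; anything listed under needs_scope_change will appear empty (or not at all) in the service until its scope is changed, which is easier to explain before the first sync than after.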

Multi-Forest Active Directory Environment with Trust Relationships  

A multi-forest Active Directory deployment with trust relationships allows you to sync users and groups  
from multiple Active Directory domains across forests where two-way trust exists between the domains.  
When you add a directory for this environment, select the Active Directory (Integrated Windows  
Authentication) option.  
For more information, see:
- “Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup.” In some scenarios, you may need to create this file.
- “Configure Active Directory Connection to the Service”

Multi-Forest Active Directory Environment Without Trust Relationships  

A multi-forest Active Directory deployment without trust relationships allows you to sync users and groups  
from multiple Active Directory domains across forests without a trust relationship between the domains. In  
this environment, you create multiple directories in the service, one directory for each forest.  
The type of directories you create in the service depends on the forest. For forests with multiple domains,  
select the Active Directory (Integrated Windows Authentication) option. For a forest with a single domain,  
select the Active Directory over LDAP option.  
For more information, see:
- “Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup.” In some scenarios, you may need to create this file.
- “Configure Active Directory Connection to the Service”

Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup

When you create a directory of type Active Directory (Integrated Windows Authentication), the This  
Directory supports DNS Service Location option is enabled by default and cannot be changed. When you  
create a directory of type Active Directory over LDAP, you have the choice of enabling this option. If this  
option is enabled, DNS Service Location lookup is used to select domain controllers. However, in certain  
scenarios, using DNS Service Location lookup may not be preferred.  
The connector DNS Service Location (SRV) lookup is currently not site aware. If you have a global Active  
Directory deployment, with multiple domain controllers across different geographical locations for a  
domain, a non-optimal domain controller might be selected. This can lead to latency, delays, or timeouts  
when VMware Identity Manager tries to communicate with the domain controller.  
For a global Active Directory deployment with multiple domain controllers across different geographical locations, to ensure an optimal configuration, create a domain_krb.properties file to override the SRV lookup and add to it specific domain to host values that take precedence over SRV lookup. Create this file if you are using either Active Directory (Integrated Windows Authentication) or Active Directory over LDAP with the DNS Service Location option enabled.
IMPORTANT You must create the domain_krb.properties file before you create the VMware Identity Manager directory.


Procedure
1. Log in to the virtual appliance as the root user.
2. Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
3. Edit the domain_krb.properties file to add the list of domain to host values. Use the following format:
   <domain>=<host:port>,<host2:port>,<host3:port>
   For example:
   example.com=examplehost1.example.com:389,examplehost2.example.com:389
   IMPORTANT Domain names must be in lowercase. Mixed case or uppercase are not allowed.
4. Change the owner of the domain_krb.properties file to horizon and the group to www using the following command.
   chown horizon:www /usr/local/horizon/conf/domain_krb.properties
5. Restart the service using the following command.
   service horizon-workspace restart
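Because the file is read by the connector without any feedback in the console, a malformed line or an uppercase domain name is easy to ship and hard to notice until logins time out. The following is an added example, not VMware's code: it parses and generates domain_krb.properties content according to the format in the procedure, rejecting anything that breaks the lowercase or host:port rules before the file is written. The domain names, host names and the output path are constructed sample values.

```python
"""Added example (not VMware's code): build and validate the contents of the
domain_krb.properties override file. It enforces the rules the procedure
states: one <domain>=<host:port>[,<host:port>...] line per domain, with the
domain name in lowercase. Domains, hosts and the target path are constructed."""

import re
from pathlib import Path

# A host is a DNS name; a port is 1..65535 (range checked after matching).
_HOST_PORT = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(?P<port>\d{1,5})$")


def parse_domain_krb(text: str) -> dict:
    """Parse the file body into {domain: [(host, port), ...]}.
    Raises ValueError on any line that breaks the documented format."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are ignored
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected <domain>=<host:port>,...")
        domain, hosts = line.split("=", 1)
        domain = domain.strip()
        if domain != domain.lower():
            # The procedure is explicit: mixed case or uppercase is not allowed.
            raise ValueError(f"line {lineno}: domain '{domain}' must be lowercase")
        if domain in mapping:
            raise ValueError(f"line {lineno}: domain '{domain}' listed twice")
        entries = []
        for item in hosts.split(","):
            m = _HOST_PORT.match(item.strip())
            if not m or not 1 <= int(m.group("port")) <= 65535:
                raise ValueError(f"line {lineno}: bad host:port entry '{item.strip()}'")
            entries.append((m.group("host"), int(m.group("port"))))
        mapping[domain] = entries
    return mapping


def render_domain_krb(mapping: dict) -> str:
    """Produce file text from {domain: [(host, port), ...]}, lowercasing the
    domain key so the output always satisfies the case rule."""
    lines = []
    for domain, entries in mapping.items():
        hosts = ",".join(f"{h}:{p}" for h, p in entries)
        lines.append(f"{domain.lower()}={hosts}")
    return "\n".join(lines) + "\n"


def write_domain_krb(mapping: dict, path: str) -> int:
    """Validate by round-tripping through the parser, then write the file.
    Returns the number of domains written. Ownership (chown horizon:www) and
    the service restart are still done as in the procedure."""
    text = render_domain_krb(mapping)
    parse_domain_krb(text)  # refuse to write anything the parser would reject
    Path(path).write_text(text)
    return len(mapping)


# Constructed sample: two domains, each pinned to nearby domain controllers.
SAMPLE = {
    "example.com": [("dc1.example.com", 389), ("dc2.example.com", 389)],
    "EMEA.EXAMPLE.COM": [("dc-emea1.emea.example.com", 389)],
}

if __name__ == "__main__":
    # On the appliance the path is /usr/local/horizon/conf/domain_krb.properties.
    count = write_domain_krb(SAMPLE, "/tmp/domain_krb.properties")
    print(f"wrote {count} domain entries")
```

Run it on the appliance (or wherever you stage the file) before the chown and restart steps; a ValueError names the offending line, and the rendered output is always lowercase even if the source mapping was typed with capitals.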

Managing User Attributes that Sync from Active Directory  

During the VMware Identity Manager service setup you select Active Directory user attributes and filters to  
specify which users sync in the VMware Identity Manager directory. You can change the user attributes that  
sync from the administration console, Identity & Access Management tab, Setup > User Attributes.  
Changes that are made and saved in the User Attributes page are added to the Mapped Attributes page in  
the VMware Identity Manager directory. The attributes changes are updated to the directory with the next  
sync to Active Directory.  
The User Attributes page lists the default directory attributes that can be mapped to Active Directory  
attributes. You select the attributes that are required, and you can add other Active Directory attributes that  
you want to sync to the directory.  
Table 4-1. Default Active Directory Attributes to Sync to Directory

| VMware Identity Manager Directory Attribute Name | Default Mapping to Active Directory Attribute |
|---|---|
| userPrincipalName | userPrincipalName |
| distinguishedName | distinguishedName |
| employeeId | employeeID |
| domain | canonicalName. Adds the fully qualified domain name of the object. |
| disabled (external user disabled) | userAccountControl. Flagged with UF_Account_Disable. When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account, so that when the flag is removed from the account users can log in and access their entitled resources. |
| phone | telephoneNumber |
| lastName | sn |
| firstName | givenName |
| email | mail |
| userName | sAMAccountName |
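Most rows of the default mapping table above are straight copies, but two are derived: `domain` comes from canonicalName and `disabled` from one bit of userAccountControl. The following is an added example, not VMware's code, that applies the table to an Active Directory user entry and makes those two derivations explicit. The user record is constructed sample data; the UF_ACCOUNTDISABLE value 0x2 is Active Directory's documented constant.

```python
"""Added example (not VMware's code): apply the default attribute mapping to
an Active Directory user record, deriving `domain` from canonicalName and
`disabled` from the UF_ACCOUNTDISABLE bit of userAccountControl.
The user record is constructed; 0x2 is AD's documented flag value."""

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account

# Directory attribute -> AD attribute, for the rows that copy straight across.
DIRECT_MAPPING = {
    "userPrincipalName": "userPrincipalName",
    "distinguishedName": "distinguishedName",
    "employeeId": "employeeID",
    "phone": "telephoneNumber",
    "lastName": "sn",
    "firstName": "givenName",
    "email": "mail",
    "userName": "sAMAccountName",
}


def domain_from_canonical_name(canonical_name: str) -> str:
    """canonicalName looks like 'corp.example.com/Users/Jane Doe'; the FQDN of
    the object's domain is everything before the first '/'."""
    return canonical_name.split("/", 1)[0].lower()


def is_disabled(user_account_control) -> bool:
    """True when the UF_ACCOUNTDISABLE flag is set. AD returns the value as a
    string over LDAP, so accept either int or str."""
    return bool(int(user_account_control) & UF_ACCOUNTDISABLE)


def map_user(ad_user: dict, required=("userPrincipalName", "distinguishedName")) -> dict:
    """Build the directory record. A missing required attribute raises KeyError
    so the record is rejected rather than synced half-populated."""
    for attr in required:
        if not ad_user.get(DIRECT_MAPPING[attr]):
            raise KeyError(f"required attribute {attr} missing on "
                           f"{ad_user.get('sAMAccountName')}")
    record = {local: ad_user.get(ad_attr) for local, ad_attr in DIRECT_MAPPING.items()}
    record["domain"] = domain_from_canonical_name(ad_user["canonicalName"])
    record["disabled"] = is_disabled(ad_user.get("userAccountControl", 0))
    return record


# Constructed sample AD entry (not real directory data).
SAMPLE_USER = {
    "userPrincipalName": "jdoe@corp.example.com",
    "distinguishedName": "CN=Jane Doe,OU=myUnit,DC=corp,DC=example,DC=com",
    "canonicalName": "corp.example.com/myUnit/Jane Doe",
    "employeeID": "E1042",
    "telephoneNumber": "+1 555 0100",
    "sn": "Doe",
    "givenName": "Jane",
    "mail": "jane.doe@example.com",
    "sAMAccountName": "jdoe",
    "userAccountControl": "514",  # 512 (NORMAL_ACCOUNT) | 2 (ACCOUNTDISABLE)
}

if __name__ == "__main__":
    rec = map_user(SAMPLE_USER)
    status = "disabled" if rec["disabled"] else "enabled"
    print(f"{rec['userName']}@{rec['domain']} ({rec['lastName']}, {rec['firstName']}): {status}")
```

The `required` tuple mirrors the attributes you mark as required on the User Attributes page; if you make distinguishedName required for XenApp, an entry without it fails here the same way the sync would skip it.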

Select Attributes to Sync with Directory  

When you set up the VMware Identity Manager directory to sync with Active Directory, you specify the  
user attributes that sync to the directory. Before you set up the directory, you can specify on the User  
Attributes page which default attributes are required and add additional attributes that you want to map to  
Active Directory attributes.  
When you configure the User Attributes page before the directory is created, you can change default  
attributes from required to not required, mark attributes as required, and add custom attributes.  
After the directory is created, you can change a required attribute to not be required, and you can delete  
custom attributes. You cannot change an attribute to be a required attribute.  
When you add other attributes to sync to the directory, after the directory is created, go to the directory’s  
Mapped Attributes page to map these attributes to Active Directory Attributes.  
IMPORTANT If you plan to sync XenApp resources to VMware Identity Manager, you must make  
distinguishedName a required attribute. You must specify this before creating the  
VMware Identity Manager directory.  
Procedure
1. In the administration console, Identity & Access Management tab, click Setup > User Attributes.
2. In the Default Attributes section, review the required attribute list and make appropriate changes to reflect which attributes should be required.
3. In the Attributes section, add the VMware Identity Manager directory attribute name to the list.
4. Click Save.
   The default attribute status is updated and the attributes you added are added to the directory’s Mapped Attributes list.
5. After the directory is created, go to the Manage > Directories page and select the directory.
6. Click Sync Settings > Mapped Attributes.
7. In the drop-down menu for the attributes that you added, select the Active Directory attribute to map to.
8. Click Save.
The directory is updated the next time the directory syncs to Active Directory.

Configure Active Directory Connection to the Service

In the administration console, specify the information required to connect to your Active Directory and  
select users and groups to sync with the VMware Identity Manager directory.  
The Active Directory connection options are using Active Directory over LDAP or using Active Directory  
Integrated Windows Authentication. Active Directory over LDAP connection supports DNS Service  
Location lookup by default. With Active Directory Integrated Windows Authentication, you configure the  
domain to join.  
 
Prerequisites
- See “Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup.” In some scenarios, you may need to create this file.
- Select the required default attributes and add additional attributes on the User Attributes page. See “Select Attributes to Sync with Directory.”
  IMPORTANT If you plan to sync XenApp resources with VMware Identity Manager, you must make distinguishedName a required attribute. You must make this selection before creating a directory, as attributes cannot be changed to be required attributes after a directory is created.
- List of the Active Directory groups and users to sync from Active Directory.
- For Active Directory over LDAP, the information required includes the Base DN, Bind DN, and Bind DN password.
- For Active Directory Integrated Windows Authentication, the information required includes the domain’s Bind user UPN address and password.
- If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
- For Active Directory Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
Procedure
1. In the administration console, open the Identity & Access Management tab.
2. On the Directories page, click Add Directory.
3. Enter a name for this VMware Identity Manager directory.
4. Select the type of Active Directory in your environment and configure the connection information.

   Option: Active Directory over LDAP
   Description:
   - Select the connector from the drop-down menu that syncs with Active Directory.
   - If this Active Directory is used to authenticate users, click Yes. If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.
   - In the Search Attribute field, select the account attribute that contains the username.
   - If the Active Directory does not use DNS Service Location lookup, deselect the check box and enter the Active Directory server host name and port number.
   - If Active Directory requires access over SSL, select the check box below and provide the Active Directory SSL certificate.
   - To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in “Active Directory Environments”.
   - In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.
   - In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.
   - After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.

   Option: Active Directory (Integrated Windows Authentication)
   Description:
   - Select the connector from the drop-down menu that syncs with Active Directory.
   - If this Active Directory is used to authenticate users, click Yes. If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.
   - In the Directory Search Attribute field, select the account attribute that contains the username.
   - Enter the name of the Active Directory domain to join. Enter that domain’s admin user name and password.
   - In the Bind User UPN field, enter the User Principal Name of the user who can authenticate with the domain. For example, UserName@example.com.
   - Enter the Bind User password.

5. Click Save & Next.
   The page with the list of domains appears.
   For Active Directory over LDAP, the domains are listed with a checkmark.
   For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.
   NOTE If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.
6. Click Next.
7. Verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes. If not, select the correct Active Directory attribute from the drop-down menu. Click Next.
8. Click + to select the groups you want to sync from Active Directory to the directory, and click Next.
   NOTE When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
9. Click + to add additional users. For example, enter as CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
   To exclude users, create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
   Click Next.
10. Review the page to see how many users and groups are syncing to the directory and to view the sync schedule.
    To make changes to users and groups, or to the sync frequency, click the Edit links.
11. Click Sync Directory to start the sync to the directory.
The connection to the Active Directory is complete and the users and groups you selected are added to the directory.
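The "add additional users" and "exclude users" steps of the procedure above take free-form input: a user DN typed by hand and a filter built from an attribute, a query rule and a value. The following is an added example, not VMware's code, that checks a typed user DN for the standard attribute=value form (catching a '-' typed in place of '=', or a DN with no DC component) and applies an exclusion filter to a constructed user list. The rule names in RULES and the sample users are assumptions for this example, not the product's own filter vocabulary.

```python
"""Added example (not VMware's code): validate a user DN before it is submitted
in the "add additional users" step, and apply an exclusion filter of the kind
the procedure describes (attribute, query rule, value). The DN grammar is the
standard attribute=value form; the rule names and sample users are assumptions."""

import re

# One RDN: an attribute type followed by '=' and a non-empty value.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def validate_user_dn(dn: str) -> list:
    """Return a list of problems (empty when the DN is acceptable). Catches the
    common slip of typing '-' for '=' (e.g. CN-username) and DNs without DC=."""
    problems = []
    rdns = split_dn(dn)
    for rdn in rdns:
        if not _RDN.match(rdn):
            problems.append(f"malformed RDN '{rdn}': expected attribute=value")
    if not any(r.upper().startswith("DC=") for r in rdns):
        problems.append("no DC= component: DN does not name a domain")
    if rdns and not rdns[0].upper().startswith("CN="):
        problems.append("user DN should begin with CN=")
    return problems


# Hypothetical rule names (assumption for this example, not the product's list).
RULES = {
    "equals": lambda v, t: v == t,
    "not_equals": lambda v, t: v != t,
    "starts_with": lambda v, t: v.startswith(t),
    "ends_with": lambda v, t: v.endswith(t),
    "contains": lambda v, t: t in v,
}


def apply_exclusion_filter(users, attribute: str, rule: str, value: str) -> list:
    """Return the users that remain after excluding those whose `attribute`
    satisfies `rule` against `value`. Users lacking the attribute are kept."""
    test = RULES[rule]
    return [u for u in users
            if not (attribute in u and test(str(u[attribute]), value))]


# Constructed sample users (not real directory data).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example.com"},
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@corp.example.com"},
    {"sAMAccountName": "svc-scan", "userPrincipalName": "svc-scan@corp.example.com"},
    {"sAMAccountName": "asmith"},
]

if __name__ == "__main__":
    for dn in ("CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com",
               "CN-username,CN=Users,OU-myUnit,DC=myCorp,DC=com"):
        print(dn, "->", validate_user_dn(dn) or "ok")
    kept = apply_exclusion_filter(SAMPLE_USERS, "sAMAccountName", "starts_with", "svc-")
    print("kept:", [u["sAMAccountName"] for u in kept])
```

Run validate_user_dn on each DN before pasting it into the console; a DN that fails here will not resolve to a user in Active Directory either. The exclusion filter is worth rehearsing against an export of the users in scope so that service accounts are kept out of the directory by rule rather than by hand.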
What to do next
- Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.
- Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web browser, with a session timeout set to eight hours, or to access a client app with a session timeout of 2160 hours (90 days). You can change the default access policy and, when you add Web applications to the catalog, you can create new ones.
- Apply custom branding to the administration console, user portal pages, and the sign-in screen.
 
         

hferch has written 76 articles

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">